Sask. privacy commissioner issues recommendations and warning about medical-record snooping

Photo: Saskatchewan Information and Privacy Commissioner Ronald J. Kruzeniski is seen in this 2018 Leader-Post file photo. (Jason Kerr/Daily Herald)

Brandon Harder

Regina Leader-Post

The office manager of a Regina medical clinic accessed an individual’s health records 37 times in 2021 and 2022. But the person whose records were accessed was never a patient of the clinic.

Those actions were deemed inappropriate in all instances by eHealth Saskatchewan, the government entity in charge of electronic health records.

Now, Saskatchewan’s Information and Privacy Commissioner Ronald Kruzeniski says more should be done about it. That includes forwarding the investigation files to prosecutors so they can consider whether offences have occurred and charges should be laid.

The recommendations come via the commissioner’s Sept. 20 report following his office’s own investigation into the incident — not the first of its kind for Kruzeniski’s crew.

It states that patients can request an audit report from eHealth that shows who has accessed their personal health information.

The report lays out how the affected person in this case — referred to as the complainant — did just that. The complainant became concerned upon learning that the office manager at Regina’s Prairie Internal Medicine Specialists had accessed their records 37 times.

The complainant tried to get in contact with Dr. Siva Karunakaran at the clinic, but the doctor didn’t respond within 30 days, as requested. Eventually, Kruzeniski’s office became involved.

Kruzeniski found a privacy breach had occurred. While the office manager’s privileges to view health information were suspended for six months, the commissioner felt more should’ve been done to determine the extent of the breach, such as investigative steps to find out whether the complainant’s information had been disclosed.

He recommended Karunakaran do that now, and take steps to recover and contain the health information if it was disclosed.

According to the commissioner’s report, the doctor did investigate how the breach transpired.

Pertaining to 33 of the instances that occurred in April 2021, the report states: “Dr. Karunakaran was able to determine that the Complainant has a connection to a friend of the Office Manager’s family member.”

“Dr. Karunakaran believes that at around the time of the breach, the Complainant was giving birth to a child. Dr. Karunakaran believes that the Office Manager accessed the Complainant’s personal health information for the purpose of obtaining information about the birth of the Complainant’s child.”

A letter from Karunakaran’s lawyer sent to the privacy commissioner stated that while the office manager indicated she was familiar with office policy around accessing information, she did not adhere to it.

In fact, the office manager authored many of the sections in the clinic’s “Privacy and Security Policies Manual,” and as a result should’ve been aware that “snooping” was inappropriate, Kruzeniski’s report states.

Further, the report states that the office manager would’ve been required to watch a video prior to being granted access to health information. The video indicates that accessing health information under false pretences or when not authorized “qualifies as a privacy breach and is punishable by a fine up to $50,000 and imprisonment of up to one year.”

A letter from Karunakaran’s lawyer stated that patient safety or care would be unlikely to be affected as a result of the breach.

“I disagree,” wrote the commissioner.

When health information is accessed inappropriately, patient trust in the health-care system is adversely affected, his report states, documenting that his office has continued to investigate such incidents. It references one in which the information of more than 100 people was inappropriately accessed so that the person accessing the records could “satisfy their own personal curiosity.” Another incident referenced includes health-care workers altering medical records.

“I caution anyone who believes that snooping does not adversely affect patient safety or care,” Kruzeniski wrote.

“It does.”

Further to the recommendations, the commissioner also suggested that a plan be developed to “conduct random user audits of all employees at the Clinic on an ongoing basis.”

Additionally, he recommended that if the office manager has access to personal health information, she should be audited “indefinitely.”

Karunakaran was also asked to report back to Kruzeniski’s office and to the complainant within 30 days regarding the results of his efforts toward recovery and containment of the complainant’s health information.

bharder@postmedia.com
